Q1 Doug is conducting a port scan of a target network. He knows that his client's target network has a web server and that there is a mail server which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4

a. UDP is filtered by a gateway
b. The packet TTL value is too low and cannot reach the target
c. The host might be down
d. The destination network might be down
e. The TCP window size does not match
f. ICMP is filtered by a gateway

ans: A,B,C,D

I thought the answer is A, C, D, F.

Q2 You have the SOA presented below in your zone. Your secondary servers have not been able to contact your primary server to synchronise information. How long will the secondary servers attempt to contact the primary server before they consider that the zone is dead and stop responding to queries? college.edu (200302028 3600 3600 604800 3600)

a. 1 day
b. 1 hour
c. 1 week
d. 1 month

Answer: C

I thought the answer is 1 hour?? 60 sec x 60 = 3600 seconds

Q3 Joe is worried that the network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode.

a. Block output to the console whenever the user runs the ifconfig command by running a screen capture utility
b. Run the wiretap program in stealth mode to avoid being detected by the ifconfig command
c. Replace the original ifconfig utility with the rootkit version of ifconfig, hiding the promiscuous information being displayed on the console
d. You cannot disable promiscuous mode detection on Linux systems.

A. Configure web server to deny alerts from these attacks
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active scripts detection at the firewall and routers.

Answer given is B

The only reason I thought of is an IDS deployed in front of the web server (DMZ segment).

What about A? Can we configure the web server to deny Unicode requests?

5. Bubba has just accessed his preferred e-commerce web site and has spotted an item that he would like to buy. Bubba considers the price a bit too steep. He looks at the source code of the web page and decides to save the page locally, so that he can modify the page variables. In the context of web application security, what do you think Bubba has changed?

A. A hidden form field value.
B. A hidden price value.
C. An integer variable.
D. A page cannot be changed locally, as it is served by a web server.

Answer given is A.

I was thinking whether the answer could be D. Even if the entire page is downloaded to our PC and we change the value locally, it doesn't get reflected on the server, such as via the POST method...
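Q5 turns on the difference between what the browser displays and what the server trusts. The following is an added example, not from the thread or any site it mentions: a vulnerable checkout that charges the hidden price the form submitted, beside a hardened one that looks the price up on the server (the catalogue, form fields and request are constructed).

```python
# Added example: the hidden-form-field problem behind Q5, and how a server
# should treat such a field. Catalogue, field names and request are constructed.
from decimal import Decimal

# Server-side price list (constructed sample catalogue).
CATALOG = {"widget": Decimal("30.00"), "gizmo": Decimal("12.50")}


def total_trusting_client(form):
    """Vulnerable: takes the price from the hidden <input name="price">
    the browser submitted. Saving the page locally, editing that field
    and resubmitting changes what the server charges."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def total_server_side(form):
    """Hardened: the client only names the item and quantity; the price is
    looked up on the server and any submitted price is ignored."""
    item = form["item"]
    if item not in CATALOG:
        raise ValueError(f"unknown item {item!r}")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[item] * qty


def is_tampered(form):
    """Logging hook: flags a submitted price that disagrees with the
    catalogue, which is exactly what an edited hidden field produces."""
    if "price" not in form or form.get("item") not in CATALOG:
        return False
    return Decimal(form["price"]) != CATALOG[form["item"]]


# Constructed request: the hidden 'price' field was edited from 30.00 to 10.00.
TAMPERED_FORM = {"item": "widget", "qty": "1", "price": "10.00"}

if __name__ == "__main__":
    print("vulnerable charges:", total_trusting_client(TAMPERED_FORM))  # 10.00
    print("hardened charges:  ", total_server_side(TAMPERED_FORM))      # 30.00
    print("tampered?", is_tampered(TAMPERED_FORM))                      # True
```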

dareth wrote: Q1 Doug is conducting a port scan of a target network. He knows that his client's target network has a web server and that there is a mail server which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4

a. UDP is filtered by a gateway
b. The packet TTL value is too low and cannot reach the target
c. The host might be down
d. The destination network might be down
e. The TCP window size does not match
f. ICMP is filtered by a gateway

ans: A,B,C,D

I thought the answer is A, C, D, F.

Although b. is an unlikely situation, I would go for b. rather than f. Why? There are many ways you can do a port scan; it's not necessarily an ICMP ping. (E.g. see the NMAP help for different ways of scanning a network or a box.) So filtering ICMP probably is not a cause for negative results.

Q2 You have the SOA presented below in your zone. Your secondary servers have not been able to contact your primary server to synchronise information. How long will the secondary servers attempt to contact the primary server before they consider that the zone is dead and stop responding to queries? college.edu (200302028 3600 3600 604800 3600)

a. 1 day
b. 1 hour
c. 1 week
d. 1 month

Answer: C

I thought the answer is 1 hour?? 60 sec x 60 = 3600 seconds

To my knowledge 1 hr seems to be correct. But again, I am not a DNS expert. It seems that the definition of the TTL has changed at some time (see hxxp://www.zytrax.com/books/dns/ch8/soa.html). Sorry, I don't have time to read and give a full explanation.

Q3 Joe is worried that the network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode.

a. Block output to the console whenever the user runs the ifconfig command by running a screen capture utility
b. Run the wiretap program in stealth mode to avoid being detected by the ifconfig command
c. Replace the original ifconfig utility with the rootkit version of ifconfig, hiding the promiscuous information being displayed on the console
d. You cannot disable promiscuous mode detection on Linux systems.

A. Configure web server to deny alerts from these attacks
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active scripts detection at the firewall and routers.

Answer given is B

The only reason I thought of is an IDS deployed in front of the web server (DMZ segment).

What about A? Can we configure the web server to deny Unicode requests?

Are you sure you reproduced this question correctly? "Configure web server to deny alerts from these attacks" doesn't make much sense. If the option is "Configure web server to deny Unicode requests", then you have a point. This is one of the ambiguous questions which I too found in CEH. Both A and B can be correct based on different scenarios.

5. Bubba has just accessed his preferred e-commerce web site and has spotted an item that he would like to buy. Bubba considers the price a bit too steep. He looks at the source code of the web page and decides to save the page locally, so that he can modify the page variables. In the context of web application security, what do you think Bubba has changed?

A. A hidden form field value.
B. A hidden price value.
C. An integer variable.
D. A page cannot be changed locally, as it is served by a web server.

Answer given is A.

I was thinking whether the answer could be D. Even if the entire page is downloaded to our PC and we change the value locally, it doesn't get reflected on the server, such as via the POST method...

Answer A is correct. You can save a page locally, change a form field value and resubmit. Most popular e-commerce sites have protection against this. But I can give you a live e-commerce site on the internet where you can do this. You can actually add a $30 item to your shopping cart with a price tag of $10. But..... it is unethical to disclose the site and it will be even worse if somebody tries to purchase stuff that way. ..... And "YES" I did go up to the purchase point and "NO" I did not buy anything this way.
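For Q2, the added example below (not from the thread) reads the SOA timers by their RFC 1035 names; the record is the one from the question, with the expire field taken as 604800, which is the value answer C (1 week) corresponds to.

```python
# Added example: naming the SOA timers from Q2. RFC 1035 section 3.3.13 orders
# them serial, refresh, retry, expire, minimum. The input string is the record
# as quoted in the question, without the MNAME/RNAME fields.
import re

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_soa(text):
    """Return the five numeric SOA fields keyed by their RFC 1035 names.
    Accepts the question's shape: 'zone (serial refresh retry expire minimum)'."""
    if "(" not in text:
        raise ValueError("expected '(' before the SOA timers")
    nums = re.findall(r"\d+", text.split("(", 1)[1])
    if len(nums) != 5:
        raise ValueError("expected 5 numeric SOA fields")
    return dict(zip(SOA_FIELDS, map(int, nums)))


def humanize(seconds):
    """Render a timer in the largest unit that divides it evenly."""
    for unit, size in (("week", 604800), ("day", 86400), ("hour", 3600), ("minute", 60)):
        if seconds >= size and seconds % size == 0:
            n = seconds // size
            return f"{n} {unit}{'s' if n != 1 else ''}"
    return f"{seconds} seconds"


def zone_dead_after(text):
    """How long a secondary keeps answering after its last successful contact
    with the primary: the EXPIRE field, not REFRESH or RETRY."""
    return humanize(parse_soa(text)["expire"])


# Record from Q2, with the expire field read as 604800 (constructed input).
Q2_SOA = "college.edu (200302028 3600 3600 604800 3600)"

if __name__ == "__main__":
    for name, value in parse_soa(Q2_SOA).items():
        print(f"{name:8} {value:>10}  {humanize(value) if name != 'serial' else ''}")
    print("zone considered dead after:", zone_dead_after(Q2_SOA))  # 1 week
```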

To my knowledge 1 hr seems to be correct. But again, I am not a DNS expert. It seems that the definition of the TTL has changed at some time (see hxxp://www.zytrax.com/books/dns/ch8/soa.html). Sorry, I don't have time to read and give a full explanation.

I did a check and the answer is indeed 1 hour.

Q4 Are you sure you reproduced this question correctly? "Configure web server to deny alerts from these attacks" doesn't make much sense. If the option is "Configure web server to deny Unicode requests", then you have a point. This is one of the ambiguous questions which I too found in CEH. Both A and B can be correct based on different scenarios.

6. You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and after scanning each of them, you notice that they all show port 21 in closed state.

What should be the next logical step that should be performed?

A. Connect to open ports to discover applications.
B. Perform a ping sweep to identify any additional systems that might be up.
C. Perform a SYN scan on port 21 to identify any additional systems that might be up.
D. Re-scan every PC to verify results.

Ans is C.

I don't understand this. We had performed a scan and discovered 23 'live' systems. Port 21 on the 23 systems is closed. I believe there was a TCP port scan on a specific subnet to discover the 23 'live' systems.

Why do we need to perform another SYN scan on port 21 to discover more 'live' systems!! The only reason I derived is to perform another TCP scan on another subnet.

7. Which of the following statements about a zone transfer are correct? (Choose 3)

A. A zone transfer is accomplished with DNS
B. A zone transfer is accomplished with the nslookup service
C. A zone transfer passes all zone information that a DNS server maintains
D. A zone transfer passes all zone information that a nslookup server maintains
E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections
F. Zone transfer cannot occur on the Internet.

Ans: A , C , E

* You need a DNS server to get the zone.
* You use the tool nslookup to carry out the zone transfer.

So it all depends on how you interpret the word "accomplished". I would prefer B over A in this case. In the absence of B, the best answer would be A.

But ultimately the correct answer is what the EC-Council expects, and that only God knows.

A. Configure web server to deny alerts from these attacks
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active scripts detection at the firewall and routers.

Answer given is B, and I thought the answer should be A.

I suppose 'these attacks' refers to the Unicode exploits.

An IDS, unlike an IPS (Intrusion Prevention Devices), only detects but cannot prevent the exploits. If it is an IPS deployed in front of the web server, it will be able to 'match' the exploits based on the created rules.

8. While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrongdoing.

However, you are concerned about affecting the normal functionality of the email server. From the following options, choose how best you can achieve this objective.

A. Block port 25 at the firewall
B. Shut off the SMTP service on the server
C. Force all connections to use a username and password
D. Switch from Windows Exchange to UNIX sendmail.
E. None of the above.

Answer is E. I thought the answer is C.

Most of the ISPs have enforced SMTP authentication or 'POP before send'. Probably I am thinking a step ahead, like security measures/controls...

The only reason I can think of for why AT chose E: initially, when we telnet into port 25, we do not need to authenticate.

I cannot see the logic of how denying alerts from the web server can help with Unicode attacks.

8. While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrongdoing.

However, you are concerned about affecting the normal functionality of the email server. From the following options, choose how best you can achieve this objective.

A. Block port 25 at the firewall
B. Shut off the SMTP service on the server
C. Force all connections to use a username and password
D. Switch from Windows Exchange to UNIX sendmail.
E. None of the above.

I don't know much about POP before SMTP, but this method seems to work only in cases where designated users are allowed to relay mail through a specific mail server. But if I want to send a mail to dareth@xyz.com, you cannot enforce POP before SMTP on me. You need to open the SMTP port of the xyz mail server.

If the port is open, you can telnet and grab the banner. But there are probably methods to restrict manual telnet (e.g. implementing quick timeouts).

I realize you want to verify the questions and everything, but I really don't think you should be posting actual test questions here in this forum. You are violating the legal agreement you signed when you do the exam; if someone from EC-Council should see you doing this, they would very easily be within their rights to revoke your certification and even prosecute you in court. Microsoft has done it in the past. You are destroying the integrity and value of the exam. Don should come along and delete this entire thread.

You could probably discuss this better via email or even PM, but not in a public forum like this.

Just a warning: you should immediately CEASE AND DESIST!! I'm not a lawyer, but even I know better than to do this.

This is a form of CHEATING, and is not ethical. There may be other people studying for the exam, and this is not the correct way to learn.

I guess this is why you guys are still newbies.

Last edited by oyle on Fri Oct 20, 2006 11:12 am, edited 1 time in total.

MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH --------------------"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

1. Members are responsible and liable for their own posts, not the owners of the site.
2. This was from ActualTests. He didn't claim it was from the real CEH exam. We could debate where they get their questions and answers, but I won't do that now. So as far as we know, this is simply a practice exam, which is legal. He also didn't just ask for the answers. He gave what he thought the answer should be and why he thought it was wrong. So if anything, this once again proves that, although the legality of such products is debatable, they often have wrong answers, so the decision to use them is considered unwise.
3. Oyle has every right to question the validity of the post and warn against possible backlash from the cert org.

OK, I take it that "Actual tests" is something similar to "Testkillers", where you purchase actual test questions and answers to prepare for the actual exam. I personally have never heard of "Actual Tests", but there are so many of these things out there, it's possible.

I would put no faith into these things at all; the best alternative is actual, hands-on experience. Good luck with that.

I would strongly suggest that they not post these things here; while they may be looking for "feedback/views", we all know they are in search of a correct answer.

Maybe in the future, if they really want to do these, post them and DON'T phrase them as a question; post them in the manner that TheMorpheus posts them in, as a hypothetical situation; Don't just list the question and then 4 multiple choice answers.

I'm not aware of Don's actual relationship, but I know that Don had talked previously with people at EC-Council. What's to stop someone from EC-Council from browsing the forums here and discovering this thread? Then Don would be in trouble, as he is responsible for this forum. Then we risk the possibility of EH-Net being shut down, and NONE of us wants that. I sure don't.

You can call me any name you want, I don't care. But I'm trying to save a valuable resource here, and besides: I enjoy it here, and I don't want to see it go away.

I SURE as heck don't want to see DON get in trouble. if he does, I'm going to be mad. >:(

People don't like me when I'm mad. I turn all green, and get big, and bust out of my shirt, and, well, you wouldn't like me when I'm mad. I smash.

PLEASE don't do this anymore!!

Last edited by oyle on Fri Oct 20, 2006 4:03 pm, edited 1 time in total.

I don’t think we need to insult the posters here and call them newbs, etc.. It seemed to me they had genuine concerns and had no malicious intent. Also, I think Don asked that we post about this on a new thread. Perhaps it would be better in the future if someone had questions concerning mistakes in test preps or test cheats or whatever you want to call it, they just post a question and not copy and paste from materials like this. And don’t disclose where it came from.

Question 7: nslookup is a tool, not a service. Zone transfers are done by the DNS service. It is true that a zone transfer can be attempted by using nslookup with the ls -d flags, but this is not the norm and is rarely successful. The correct answer in my opinion is as originally stated: A, C, E.

Question 8: For this question you have to understand how SMTP works. Read RFC 821 and also RFC 2821. When any RFC-compliant device tries to send mail, it first gets the MX and A record of the receiving mail server, and then tries to open an SMTP session on port 25. If a valid session is opened, the mail will be sent.

While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrongdoing.

This is normal behaviour as per the RFCs.

A. Block port 25 at the firewall - This is wrong, as it will not allow valid SMTP sessions and will "affect the normal functionality of the email server."
B. Shut off the SMTP service on the server - As above.
C. Force all connections to use a username and password - Authentication will only verify the legitimacy of the person/bot trying to send mail, but they have to open an SMTP session on port 25 first, before authentication.
D. Switch from Windows Exchange to UNIX sendmail. - This won't help, as both use SMTP on port 25.
E. None of the above. - This is correct. There is no way of blocking port 25 without "affecting the normal functionality of the email server."

Last edited by Negrita on Fri Oct 20, 2006 8:39 pm, edited 1 time in total.

CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
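The point made about option C above (and the earlier remark about quick timeouts) can be seen in a scripted SMTP exchange. The following is an added example, not from the thread: a toy in-memory server that accepts the connection and sends its banner before any authentication, rejects MAIL FROM until AUTH succeeds, and drops an idle session; the hostname, timeout and transcript are constructed, and AUTH is accepted without a real credential check.

```python
# Added example: why requiring authentication (Q8 option C) does not stop a
# telnet to port 25. The exchange is scripted in memory; no socket is opened.
# Reply codes follow RFC 2821 / RFC 4954; the hostname and policy are constructed.
IDLE_TIMEOUT = 300  # seconds of client silence before the server hangs up (constructed policy)


def run_session(client_lines, require_auth=True):
    """Feed (timestamp, command) pairs to the server and return its replies.
    The 220 banner goes out before any client input, so a manual telnet
    always gets it, whether or not authentication is later required."""
    replies = ["220 mail.example.test ESMTP ready"]
    authed = False
    last_seen = client_lines[0][0] if client_lines else 0
    for ts, line in client_lines:
        if ts - last_seen > IDLE_TIMEOUT:
            # The "quick timeout" mitigation: idle sessions are closed.
            replies.append("421 4.4.2 idle timeout, closing connection")
            break
        last_seen = ts
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            replies.append("250-mail.example.test\r\n250 AUTH PLAIN LOGIN")
        elif verb == "AUTH":
            authed = True  # toy: any AUTH line is accepted, no credential check
            replies.append("235 2.7.0 Authentication successful")
        elif verb == "MAIL":
            if require_auth and not authed:
                replies.append("530 5.7.0 Authentication required")
            else:
                replies.append("250 2.1.0 Sender OK")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
            break
        else:
            replies.append("502 5.5.2 Command not implemented")
    return replies


# Constructed transcript of a manual telnet session: banner grab, EHLO, then an
# attempt to send mail without authenticating.
TELNET_SESSION = [(0, "EHLO laptop"), (5, "MAIL FROM:<x@example.test>"), (10, "QUIT")]

if __name__ == "__main__":
    for reply in run_session(TELNET_SESSION):
        print("S:", reply)
```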

Thanks for everybody's feedback. Skel: thanks for the feedback. Negrita: I will read the RFCs.

I wish to apologise if I have caused any discomfort to anyone here... I did not wish to reproduce the questions, but I was afraid I would have reproduced them wrongly had I rewritten them according to my own thoughts.

Moderator: you can erase this thread anytime.

I took the test and passed with rather good results. Once again, I really appreciate those who helped me to clarify some doubts along the way. A reminder to those who are taking it: don't trust the answers too much, whether it's TK, AT, etc.

Cheers, Dareth

Last edited by dareth on Fri Oct 20, 2006 11:42 pm, edited 1 time in total.